A forensic insight into Windows 10 Jump Lists
Authors
Abstract
The records maintained by Jump Lists have the potential to provide a rich source of evidence about users' historic activity to the forensic investigator. The structure and artifacts recorded by Jump Lists have been widely discussed in various forensic communities since their debut in Microsoft Windows 7. However, this feature has more capability to reveal evidence in Windows 10, due to its modified structure. There is no literature published on the structure of Jump Lists in Windows 10, and the tools that can successfully parse Jump Lists in Windows 7/8 do not work properly for Windows 10. In this paper, we have identified the structure of Jump Lists in Windows 10 and compared it with Windows 7/8. Further, a proof-of-concept tool called JumpListExt (Jump List Extractor) is developed on the basis of the identified structure; it can parse Jump Lists in Windows 10 individually as well as collectively. Several experiments were conducted to detect anti-forensic attempts, such as evidence destruction, evidence modification and evidence forging, carried out on the records of Jump Lists. Furthermore, we demonstrate the type of artifacts recorded by the Jump Lists of four popular web browsers in normal and private browsing modes. Finally, the forensic capability of Jump Lists in Windows 10 is demonstrated in terms of an activity timeline constructed over a period of time using Jump Lists. © 2016 Elsevier Ltd. All rights reserved.
Similar resources
Forensic Analysis of the Windows 7 Registry
The recovery of digital evidence of crimes from storage media is an increasingly time consuming process as the capacity of the storage media is in a state of constant growth. It is also a difficult and complex task for the forensic investigator to analyse all of the locations in the storage media. These two factors, when combined, may result in a delay in bringing a case to court. The concept o...
Investigating America Online Instant Messaging Application: Data Remnants on Windows 8.1 Client Machine
Instant messaging applications (apps) are one potential source of evidence in a criminal investigation or a civil litigation. To ensure the most effective collection of evidence, it is vital for forensic practitioners to possess an up-to-date knowledge about artefacts of forensic interest from various instant messaging apps. Hence, in this chapter, we study America Online Instant Messenger (ver...
Windows Instant Messaging App Forensics: Facebook and Skype as Case Studies
Instant messaging (IM) has changed the way people communicate with each other. However, the interactive and instant nature of these applications (apps) made them an attractive choice for malicious cyber activities such as phishing. The forensic examination of IM apps for modern Windows 8.1 (or later) has been largely unexplored, as the platform is relatively new. In this paper, we seek to deter...
A Forensic Analysis of the Windows Registry
This paper will introduce the Microsoft Windows Registry database and explain how critically important a registry examination is to computer forensics experts. In essence, the paper will discuss various types of Registry footprints and delve into examples of what crucial information can be obtained by performing an efficient and effective forensic examination. Many of the Registry keys that a...
Journal title:
- Digital Investigation
Volume 17, Issue
Pages -
Publication date: 2016